ASX 200 Security Report - This report begins to assess the scale and sources of cyber risk in Australia by examining the ASX 200, the index of the ...

Page created by Fernando Obrien
 
August 2020

ASX 200
Security Report
This report begins to assess the scale and sources of cyber
risk in Australia by examining the ASX 200, the index of the
top 200 companies in Australia by market capitalization.

                     Trusted by hundreds of companies worldwide
Table of Contents

Introduction

Research Methodology

Part 1 - Data Leaks
   Finding 1: Approx. 1/3 companies in the ASX 200 have data leaks
   Finding 2: The number of companies with data leaks is increasing
   Finding 3: Most of these data leaks remain public until reported by researcher
   Finding 4: More valuable companies are more likely to have data leaks
   Finding 5: Financials, Telecoms at risk
   Finding 6: Third party leaks putting companies at risk

Part 2 - Security Ratings
   Finding 1: Highest risk group decreasing in size
   Finding 2: Progress from good to great is stagnant
   Finding 3: Most valuable companies continue to lead
   Finding 4: Overall progress obscures uneven development
   Finding 5: Email security the biggest problem
   Finding 6: Uniform, modest growth across industries
   Finding 7: Company risk profiles are unique
   Finding 8: Company risk profiles are dynamic
   Finding 9: Large changes in underlying risk factors

Part 3 - ASX 200 Companies and their security performance


Introduction
The internet allows each of us to connect with people anywhere in the
world and access all of humanity’s digitized knowledge. Conversely, it
allows criminals to launch sophisticated attacks across the globe
without leaving their couches, and for nation-states to wage concealed
and costly war on their adversaries. With the many benefits that the
internet offers – particularly in the context of reducing the spread of
COVID-19 – there are also risks.

The form that risk takes is a function of the social and political
environment. Consumers have been taught primarily to think of cyber
risk in terms of credit card theft and identity fraud – the digital
equivalent of getting mugged on the sidewalk. But there are also higher
stakes. UpGuard has contributed to research on how the collection and
sale of personal information can be used to destabilize democracies,
like in the case of Cambridge Analytica. And hostile relationships
between nations can make corporations into targets for state-backed
attackers to disrupt and embarrass.

This report begins to assess the scale and sources of cyber risk in
Australia by examining the ASX 200, the index of the top 200 companies
in Australia by market capitalization. Using proprietary software
developed by UpGuard, this research looks at two factors that make
organizations susceptible to breach. The first factor is data leaks:
information that is meant to be kept internal to an organization, like
passwords for administering systems, but has instead been left publicly
accessible somewhere on the internet. The second factor is security
ratings: how securely configured an organization’s internet-accessible
digital assets are. To put it simply, these address the questions of
how much sensitive data is being pushed out of a company’s perimeter,
and how easy it would be to break into that perimeter.

19%
OAIC-reported increase in Notifiable Data Breaches in the second half
of 2019.

For years, the UpGuard Cyber Research team has investigated data leaks,
showing that this problem – sensitive information inadvertently made
public through misconfigurations and other mistakes – affects
organizations of all sizes, industries, and geographic locations. How
and why data leaks occur has changed over time as new technologies
emerge and old ones evolve, but the problem as a whole has only
increased as the amount of data and number of digital workers create
more opportunities for such errors to occur.

Under the Office of the Australian Information Commissioner definition
of data breach – incidents where “personal information is accessed or
disclosed without authorisation or is lost” – data leaks would be a
class of breach. Our research into data leaks goes beyond just personal
information, however, to include credentials and other information that
could reasonably be used to compromise the availability, integrity, or
confidentiality of protected data.

Since 2018, the Office of the Australian Information Commissioner has
tracked and reported on Notifiable Data Breaches. In the second half of
2019, they noted a 19% increase over the same period the previous year.
The concern now is not only that those trends would continue, but that
an increasingly hostile threat actor environment could drastically
increase the number and scale of those events. A significant number of
notifiable data breaches are small scale events due to human error,
like sending one email to the wrong recipient, but for those involving
a malicious cyber event, misappropriated credentials are the leading
cause. Our research on the exposure of sensitive data like credentials
suggests part of the cause of such events, and the potential for more
to come.

Research Methodology
The UpGuard Research Team uses a combination of proprietary software
and human analysts to detect, classify, and verify data leaks. These
searches are driven by keywords that indicate a resource is relevant to
a company. This is the same concept as using any search engine, except
that instead of indexing pages on the clear web, the Data Leaks engine
indexes the deep and dark webs. Expanding the number of keywords used
increases the number of results and the potential for finding a leak,
but also increases the human time needed for analysis. For the purpose
of this study, only the company’s name was used as a keyword in order
to create a methodology that was as fair as possible to each
organization. For large companies like these, which often have many
separate business units, many keywords are necessary to canvass their
footprint, but limiting each search to one keyword ensures a uniform
process for generating a conservative estimate.

The purpose of the human analysts is to confirm that the data
represents a leak rather than intentionally public information, and to
identify the organizations affected. Data leaks are any information
that can be confirmed to be intended only for internal audiences and
pose some level of risk. Most findings that are classified as confirmed
data leaks are credentials related to an organization’s systems, as
credentials can easily be confirmed as not intended for public
distribution. Less frequently, data leaks can also include obviously
private business information, system architecture schematics, or
employee/customer personally identifiable information (PII).

In this study, UpGuard compared data leaks searches from May 2019 to
June 2020. While the companies included in the ASX 200 changed in that
period, these two data sets help us understand the present risk that
data leaks pose for Australian companies, and highlight trends in how
data leaks affect the most valuable companies.

Part 1

Data Leaks
Approx. 1/3 companies in the ASX 200 have data leaks

32.5%
UpGuard analysts found data leaks from 65 companies in the ASX 200.

In an initial assessment of the data leaks from the ASX 200, UpGuard
analysts confirmed data leaks from 65 companies, or 32.5%. This number
is very conservative: the preliminary search used only one keyword per
company and only includes findings that could be confidently attributed
to each entity. UpGuard analysts have performed research on behalf of
over a thousand companies using as many keywords as possible and have
found leaks for around 60% of them. Companies the size of those listed
on the ASX 200 would typically use twenty-five keywords to cover their
brand footprint.

The number of companies with
data leaks is increasing
Using the same methodology a year ago, leaks
were detected for 58 companies in the ASX 200.
As percentages, 29% of companies had leaks in
2019, while 32.5% had leaks in 2020– a modest
but noticeable increase. The growth in leaks can
be attributed to both the changing makeup of
the ASX 200 and the increased digitization of
companies that were stable between the two time
periods, which is discussed further in relation to
data leaks compared to market capitalization.


Most of these data leaks remain public until they are
reported by a researcher
Data leaks are typically public for either very short periods of time,
as the person responsible immediately realizes their mistake and
corrects (or hides) it, or for very long periods of time, if they do
not realize it at all. Approximately 75% of exposures that were
detected in 2019 were still publicly available a year later in 2020,
suggesting that the individuals responsible never realized their
mistake.

Of leaks that had been detected in 2019 and secured by 2020, 75% of
those had been disclosed to the company by UpGuard. This suggests that
when companies are made aware of data leaks, they take action to remove
them, and that in the absence of external researchers, those companies
remain unaware and at risk. The long-lived nature of unknown exposures
aligns with an OAIC finding that, of known data breaches where the
cause was a cyber incident, 32% involved credentials where the method
of acquiring them was unknown. The large volumes of credentials exposed
through data leaks are not being detected by the organizations they
affect, and may help explain the significant percentage of data
breaches where the cause of credential loss is unknown.

More valuable companies are more
likely to have data leaks
In 2019 and in 2020, the distribution of data leaks
correlates with increasing market capitalization. Larger
companies tend to have more employees, more vendors,
and more digital surface area. As mentioned earlier, the
total number of companies with leaks increased from 2019
to 2020. Slicing the companies into quartiles by market cap,
we see increases in leaks in the quartile of least valuable
companies and second most valuable companies. The
growth amongst the least capitalized companies on the
ASX 200 may be due to changes in which companies are
in the top 200, as more digital companies become more
valuable and thus create more digital exposure in the ASX
200. The increase of leaks amongst the more valuable
group of companies may be due to a capitalization position
that allows them to undertake digitization projects which
often result in leaks.

Financials, Telecoms at risk

48%
Approx. 48% of Financial companies had data leaks.

As in 2019, the industry with the most leaks was Financials, but this
needs the caveat that there are also many Financials companies in the
ASX 200. Adjusting for the number of Financials companies,
approximately 48% of Financials companies had data leaks – still above
the average of all companies in the ASX 200 but not the leader. At the
other end of the spectrum, there are a small number of Utilities and
Telecoms companies, but a significant percentage of the companies in
each industry have data leaks.

Third party leaks putting
companies at risk
In addition to leaks that contain internal data for
companies, companies can be at risk from third parties
or consumer services where employees use business
emails. When employees’ data in other services can
be linked to their business emails, those individuals
are at risk for spearphishing, social engineering, and
credential stuffing attacks. Databases insecurely
configured for public access tend to have many
records, be short-lived, and can vary widely in the
sensitivity of the data, from passwords and third party
access credentials to marketing contact lists with no
personal information.

Four ASX 200 companies had over one thousand employee email addresses
exposed in databases.

18,814
Unique ASX 200 business emails found.

A total of around eighteen thousand unique business email addresses for
the ASX 200 were found in exposed databases. Unlike the breaches
reported under the notifiable data breach scheme, the volume of data in
these exposed databases is very large. 82% of notifiable data breaches
affected fewer than one thousand people. Four ASX 200 companies had
over one thousand employee email addresses involved in exposed
databases.

60% of notifiable data breaches affected fewer than one hundred people;
32 of the ASX 200 companies had at least 100 business emails present in
public databases. If these had all been in one location, it would have
been in the 95th percentile of largest data breaches where the size is
known.

Part 2

Security Ratings
Historically, cyber risk has been measured through a combination of
manual processes, employee surveys, and ad hoc automated scanning.

Those methods – which are limited in scope, point-in-time, and slow to
execute – are not sufficient to keep pace with the threat environment.
In the July 2020 report on Australia’s Cyber Security Strategy,
“automated, real-time and bi-directional threat sharing mechanisms” are
noted as an important part of improving situational awareness. Security
ratings provide that capability: continuous, broad, fully automated
assessments of cyber risk that can be used to benchmark companies and
drive improvement.

UpGuard Cyber Security Ratings (CSR) are a single, easy-to-understand
score from 0-950 that represents an organization's cybersecurity
performance, similar to a consumer credit score for cybersecurity. A
higher rating represents better performance. These scores are based on
passive assessment of the security configurations of an organization’s
public digital assets. For over ten million organizations, UpGuard
updates the data and scores daily.

The aggregate score for a company is based on millions of underlying
assessments, allowing for both granular and high-level analysis. In
assessing the risk of the ASX 200, some high level categories are first
examined before looking into three categories of risk – website,
network, and email security – where companies start to show more
differentiation. As an initial foray, the companies in the ASX 200 as
of July 2020 are compared to their scores from a year ago for
simplicity’s sake, but as the analysis will show, cyber risk is likely
far more dynamic than can be captured in annual benchmarking.

Highest risk group decreasing in
size
Comparing the overall distribution of UpGuard Cyber
Security Ratings for the ASX 200 in 2019 and 2020,
the groups with the lowest scores – those below
500 on the rating scale that goes up to 950 – have
decreased significantly. The bracket between 500
and 600 decreased by almost half from 31 to 17, and
the group scoring between 400 and 500 decreased
from 11 to 3. The small number of companies at the
very highest risk in 2019, those scoring below 400,
disappeared entirely. Those companies shifted into the
band of scores between 600 and 800, representing
good but not great security postures. Overall, this
trend is a positive sign, as reducing targets that are
“low hanging fruit” is the first step toward collective
resilience.

Progress from good to great is stagnant
While companies at the bottom end of the risk spectrum appear to have
shored up the highest risk factors, there has been virtually no change
in the number of companies scoring over 800 out of 950. Addressing the
highest risk issues can help avoid falling prey to low complexity
attacks, but there remains significant room for improvement to prevent
more sophisticated efforts.

Most valuable companies continue to lead
Grouping the companies in the ASX 200 by market capitalization shows a
consistent trend of more valuable companies scoring slightly higher.
The progress from 2019 to 2020 is also more or less evenly distributed,
as every quartile has improved, though with more room to grow the lower
quartiles made more progress.

Overall progress obscures uneven development
The CSR provides a high level scoring mechanism for comparing the huge
numbers of technical factors across companies’ digital footprint.
Digging a little deeper into the categories of risk factors shows more
variation than the overall score. The lowest quartile of companies made
large improvements in their website and network security, improving by
49 and 54 points in each category, while dropping almost 30 points in
email security.

Email security the biggest problem
All quartiles of companies tended to improve their website and network
security, with big gains in the lowest quartile group. From this we can
infer part of a maturity model whereby companies currently start to
improve their information security with low hanging fruit in website
and network security. We can see that after those issues are resolved,
there is not a clear path forward. Three out of four of the quartiles
decreased their email security score, with the most dramatic slide
happening amongst the most valuable quartile of companies. Issues with
email security can make it easier for attackers to forge the domain
that appears to be sending the email, which results in more effective
phishing attacks.

Uniform, modest growth across
industries
Similar to what we saw when slicing the ASX 200 by
market capitalization, grouping companies by industry
reveals modest differences and a consistent trend of
improvement. Utilities had the lowest average score in
2019 and in 2020 but improved from 596 to 628 during
that time period. At the other end of the spectrum,
Telecom companies had the highest average score in
both years: 685 in 2019 and 711 in 2020. In general,
though, industry is not a strong predictor of cyber
security score, as the average for every industry but
Telecoms falls somewhere in the 600-700 range.

Company risk profiles are unique

22
Companies had an email security score of above 800.

9
Companies had an email security score of above 900.

Whether we group by market capitalization or industry, average scores
look fairly similar. When we dig a little bit lower into the risk
categories of website, networks, and email security, differences in
trends begin to appear. Across industries, the ASX 200 score best on
network security, well on website security, and poorly on email
security.

The most important finding, however, is what we see when we remove
those groupings and look at those risk categories for each company. The
poor average score in email security, for example, obscures that more
than twice as many companies have very good email security than there
are companies with very good security in general. Nine companies have
an overall score over 800; twenty-two companies have an email security
score above 800, and nine of those are above 900. Regardless of
industry or size, a company needs to inspect its and its vendors’ risk
factors to understand their unique risk posture.

Company risk profiles are
dynamic
172
Companies improved their score in at least one category.

161
Companies decreased their score in at least one category.

We can dig further into the individual risk profiles of companies by
comparing how they scored in each of the categories of website,
network, and email security in 2019 and 2020. 172 companies improved
their score in at least one category from 2019 to 2020. At the same
time, 161 companies decreased their score in at least one category.
Every company experienced change in one direction or another, and 134
companies improved at least one category while also declining in
another category.

Large changes in underlying risk factors

109
Companies improved their website security score.

88
Companies decreased their website security score.

Approximately half of the companies improved and declined in each
category, which helps explain how these very real risks can be averaged
out in high level analysis of industries or other cohorts. For example,
109 companies improved their website security score while 88 companies
declined, and the same was true for the other risk categories. Those
changes were not insignificant, either; 23 of those companies improved
by more than 100 points while 15 declined by more than 100 points.

The same trends are true for network and email security, with similar
numbers of companies making large moves for better and worse. If there
were, crudely speaking, good companies and bad companies, those changes
would result in polarization of the overall score. Instead, as we saw,
the overall scores are gravitating toward the middle because the same
companies are improving in one category at the same time they are
declining in another.

Part 3

ASX 200 companies and their
security performance
 ASX      Company                             2019   2020   Change

 ABP      Abacus Property Group               802    706      -96

 ABC      Adelaide Brighton Ltd               783    788      +5

 APT      Afterpay Ltd                        864    867      +3

 AGL      AGL Energy Ltd                      787    789      +2

 ALQ      Als Ltd                             691    692      +1

 ALU      Altium Ltd                          728    703      -25

 AWC      Alumina Ltd                         535    545      +10

 AMC      Amcor Plc                           800    727      -73

 AMP      AMP Ltd                             710    690      -20

 ANN      Ansell Ltd                          729    667      -62

 ANZ      Australia and New Zealand Banking   798    803      +5
          Group Ltd

 APA      APA Group                           756    783      +27

 APE      AP Eagers Ltd                       731    623     -108

 APX      Appen Ltd                           757    750      -7

 ARB      ARB Corporation Ltd                 578    627      +49

 ALL      Aristocrat Leisure Ltd              758    773      +15

 ASX      ASX Ltd                             780    780      +0


 ALX      Atlas Arteria                   803    756      -47

 AZJ      Aurizon Holdings Ltd            841    808      -33

 AST      Ausnet Services Ltd             743    792      +49

 ASB      Austal Ltd                      504    682     +178

 AVH      Avita Medical Ltd               798    846      +48

 BAP      Bapcor Ltd                      504    461      -43

 BPT      Beach Energy Ltd                713    846     +133

 BGA      Bega Cheese Ltd                 770    781      +11

 BEN      Bendigo and Adelaide Bank Ltd   796    767      -29

 BHP      BHP Group Ltd                   776    716      -60

 BIN      Bingo Industries Ltd            434    685     +251

 BKL      Blackmores Ltd                  753    764      +11

 BSL      Bluescope Steel Ltd             780    733      -47

 BOQ      Bank of Queensland Ltd          718    776      +58

 BLD      Boral Ltd                       749    656      -93

 BXB      Brambles Ltd                    685    574      -111

 BVS      Bravura Solutions Ltd           788    853      +65

 BRG      Breville Group Ltd              864    785      -79

 BKW      Brickworks Ltd                  764    745      -19

 BWP      BWP Trust                       675    637      -38

 CTX      Caltex Australia Ltd            762    730      -32


 CAR      Carsales.com Ltd                 782    658     -124

 CBA      Commonwealth Bank of Australia   825    810      -15

 CCL      Coca-Cola Amatil Ltd             797    776      -21

 CGF      Challenger Ltd                   761    759      -2

 CQR      Charter Hall Retail REIT         792    756      -36

 CLW      Charter Hall Long Wale REIT      792    756      -36

 CHC      Charter Hall Group               792    756      -36

 CNU      Chorus Ltd                       730    786      +56

 CIM      Cimic Group Ltd                  829    745      -84

 CWY      Cleanaway Waste Management Ltd   599    563      -36

 CUV      Clinuvel Pharmaceuticals Ltd     770    770      +0

 COH      Cochlear Ltd                     779    755      -24

 COL      Coles Group Ltd                  765    801      +36

 CKF      Collins Foods Ltd                750    699      -51

 CPU      Computershare Ltd                754    736      -18

 COE      Cooper Energy Ltd                575    596      +21

 CGC      Costa Group Holdings Ltd         446    442      -4

 CCP      Credit Corp Group Ltd            623    827     +204

 CMW      Cromwell Property Group          651    627      -24

 CWN      Crown Resorts Ltd                760    766      +6

 CSL      CSL Ltd                          816    785      -31


 CSR      CSR Ltd                            551    738     +187

 DXS      Dexus                              674    679      +5

 DHG      Domain Holdings Australia Ltd      751    773      +22

 DMP      Domino's PIZZA Enterprises Ltd     770    786      +16

 DOW      Downer Edi Ltd                     587    703     +116

 ELD      Elders Ltd                         731    635      -96

 EML      EML Payments Ltd                   765    699      -66

 EHE      Estia Health Ltd                   689    694      +5

 EVN      Evolution Mining Ltd               589    664      +75

 FLT      Flight Centre Travel Group Ltd     586    694     +108

 FBU      Fletcher Building Ltd              791    615     -176

 FMG      Fortescue Metals Group Ltd         823    779      -44

 FPH      Fisher & Paykel Healthcare Corporation Ltd   753    757      +4

 GEM      G8 Education Ltd                   729    716      -13

 GOR      Gold Road Resources Ltd            760    760      +0

 GMG      Goodman Group                      678    764      +86

 GPT      GPT Group                          722    718      -4

 GNC      Graincorp Ltd                      634    691      +57

 GOZ      Growthpoint Properties Australia   717    734      +17

 GUD      G.U.D. Holdings Ltd                589    561      -28


 GWA      GWA Group Ltd                      732    723      -9

 HVN      Harvey Norman Holdings Ltd         675    675      +0

 HLS      Healius Ltd                        662    656      -6

 HUB      HUB24 Ltd                          746    812      +66

 IAG      Insurance Australia Group Ltd      812    764      -48

 IEL      Idp Education Ltd                  756    793      +37

 IGO      IGO Ltd                            709    675      -34

 ILU      Iluka Resources Ltd                837    839      +2

 IPL      Incitec Pivot Ltd                  536    697     +161

 INA      Ingenia Communities Group          480    652     +172

 ING      Inghams Group Ltd                  714    727      +13

 IVC      Invocare Ltd                       760    778      +18

 IFL      IOOF Holdings Ltd                  808    812      +4

 IPH      IPH Ltd                            551    494      -57

 IRE      Iress Ltd                          736    716      -20

 JHX      James Hardie Industries Plc        627    692      +65

 JHG      Janus Henderson Group Plc          833    712      -121

 JBH      JB Hi-Fi Ltd                       844    795      -49

 JIN      Jumbo Interactive Ltd              580    465      -115

 LLC      Lendlease Group                    742    718      -24

 LNK      Link Administration Holdings Ltd   790    806      +16


 LYC      Lynas Corporation Ltd                 608    492      -116

 MQG      Macquarie Group Ltd                   732    751      +19

 MFG      Magellan Financial Group Ltd          792    796      +4

 MYX      Mayne Pharma Group Ltd                728    672      -56

 MPL      Medibank Private Ltd                  749    748       -1

 MTS      Metcash Ltd                           802    779      -23

 MIN      Mineral Resources Ltd                 615    589      -26

 MGR      Mirvac Group                          709    719      +10

 MMS      Mcmillan Shakespeare Ltd              665    646      -19

 MND      Monadelphous Group Ltd                636    640      +4

 NAB      National Australia Bank Ltd           790    772      -18

 NAN      Nanosonics Ltd                        654    510     -144

 NSR      National Storage REIT                 707    623      -84

 NEA      Nearmap Ltd                           786    683     -103

 NWL      Netwealth Group Ltd                   789    818      +29

 NCM      Newcrest Mining Ltd                   754    775      +21

 NHC      New Hope Corporation Ltd              716    731      +15

 NWS      News Corporation                      736    746      +10

 NXT      NEXTDC Ltd                            813    788      -25

 NHF      Nib Holdings Ltd                      793    812      +19

 NEC      Nine Entertainment Co. Holdings Ltd   728    674      -54


 NWH      NRW Holdings Ltd                 737    728      -9

 NST      Northern Star Resources Ltd      637    637      +0

 NUF      Nufarm Ltd                       720    749      +29

 OSH      Oil Search Ltd                   792    749      -43

 OML      Ooh!Media Ltd                    675    668      -7

 ORI      Orica Ltd                        640    682      +42

 ORG      Origin Energy Ltd                797    790      -7

 ORE      Orocobre Ltd                     619    699      +80

 ORA      Orora Ltd                        679    679      +0

 OZL      OZ Minerals Ltd                  756    738      -18

 PDL      Pendal Group Ltd                 836    844      +8

 PRN      Perenti Global Ltd               447    599     +152

 PPT      Perpetual Ltd                    753    745      -8

 PLS      Pilbara Minerals Ltd             574    561      -13

 PNI      Pinnacle Investment Management Group Ltd   808    713      -95

 PTM      Platinum Asset Management Ltd    692    699      +7

 PNV      Polynovo Ltd                     546    773     +227

 PMV      Premier Investments Ltd          510    551      +41

 PME      Pro Medicus Ltd                  247    472     +225

 QAN      Qantas Airways Ltd               785    804      +19


 QBE      QBE Insurance Group Ltd              799    782      -17

 QUB      QUBE Holdings Ltd                    664    692      +28

 RHC      Ramsay Health Care Ltd               646    694      +48

 REA      REA Group Ltd                        810    800      -10

 RRL      Regis Resources Ltd                  773    514     -259

 RMD      Resmed Inc                           776    715      -61

 RIO      RIO Tinto Ltd                        640    775     +135

 RSG      Resolute Mining Ltd                  692    694      +2

 RWC      Reliance Worldwide Corporation Ltd   813    790      -23

 SFR      Sandfire Resources Ltd               554    662     +108

 STO      Santos Ltd                           776    745      -31

 SAR      Saracen Mineral Holdings Ltd         685    757      +72

 SCP      Shopping Centres Australasia Property Group   766    889     +123

 SCG      Scentre Group                        770    760      -10

 SEK      Seek Ltd                             815    758      -57

 SSM      Service Stream Ltd                   680    733      +53

 SVW      Seven Group Holdings Ltd             580    689     +109

 SLR      Silver Lake Resources Ltd            589    556      -33

 SGM      Sims Ltd                             656    699      +43

 SKC      Skycity Entertainment Group Ltd      538    525      -13

 SIQ      Smartgroup Corporation Ltd           767    832      +65


 SHL      Sonic Healthcare Ltd               717    661      -56

 S32      SOUTH32 Ltd                        760    706      -54

 SXL      Southern Cross Media Group Ltd     629    658      +29

 SPK      Spark New Zealand Ltd              771    707      -64

 SKI      Spark Infrastructure Group         716    741      +25

 SGR      The Star Entertainment Group Ltd   779    751      -28

 SBM      ST Barbara Ltd                     788    741      -47

 SDF      Steadfast Group Ltd                663    631      -32

 SGP      Stockland                          731    572     -159

 SUN      Suncorp Group Ltd                  789    781      -8

 SUL      Super Retail Group Ltd             370    638     +268

 SYD      Sydney Airport                     737    729      -8

 TAH      Tabcorp Holdings Ltd               788    773      -15

 TGR      Tassal Group Ltd                   527    494      -33

 TNE      Technology One Ltd                 728    741      +13

 TLS      Telstra Corporation Ltd            786    629     -157

 A2M      The a2 Milk Company Ltd            537    505      -32

 TPM      TPG Telecom Ltd                    600    630      +30

 TCL      Transurban Group                   810    777      -33

 CTD      Corporate Travel Management Ltd    631    685      +54

 TWE      Treasury Wine Estates Ltd          761    757      -4


    UMG       United Malt Group Ltd                               694            694                +0

    URW       Unibail-Rodamco-Westfield                           758            780               +22

    VCX       Vicinity Centres                                    784            804               +20

    VUK       Virgin Money Uk Plc                                 903            841                -62

    VEA       Viva Energy Group Ltd                               781            806               +25

    VVR       Viva Energy REIT                                    561            580                +19

    VOC       Vocus Group Ltd                                     589            710               +121

    WEB       Webjet Ltd                                          698            808               +110

    WES       Wesfarmers Ltd                                      718            720                +2

    WSA       Western Areas Ltd                                   632            566                -66

    WBC       Westpac Banking Corporation                         798            775                -23

    WHC       Whitehaven Coal Ltd                                 352            732               +380

    SOL       Washington H Soul Pattinson & Company Ltd           656            684               +28

    WTC       Wisetech Global Ltd                                 729            744                +15

    WPL       Woodside Petroleum Ltd                              798            806                +8

    WOW       Woolworths Group Ltd                                712            703                 -9

    WOR       Worley Ltd                                          855            855                +0

    XRO       Xero Ltd                                            803            741                -62

1 A total of 18,814 email addresses matching the primary domains of ASX 200 companies were found. This
number omits tpg.com.au email addresses, of which another 16,974 were found, because these are given to
customers. The 95th percentile is based on summing the number of breaches in the bands up to 5,001-10,000 and
omitting the 18 where the size is unknown. There are 493 data breaches affecting 10,000 or fewer people out of
a total of 519 where the size is known.

© 2020 UpGuard, Inc. All rights reserved. UpGuard and the UpGuard
logo are registered trademarks of UpGuard, Inc. All other products
or services mentioned herein are trademarks of their respective
companies. Information subject to change without notice.